
Commit 1eaef89

committed
Add CVE-2025-66478
1 parent 68b50e1 commit 1eaef89


6 files changed

+112
-0
lines changed


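--- a/repository/jsrepository-master.json
+++ b/repository/jsrepository-master.json
@@ -5368,6 +5368,28 @@
 "nextjs": {
 "npmname": "next",
 "vulnerabilities": [
+{
+"ranges": [
+{
+"atOrAbove": "14.3.0-canary.77",
+"below": "15.0.5"
+}
+],
+"summary": "A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n<sup>1</sup> The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
+"identifiers": {
+"githubID": "GHSA-9qr9-h5gf-34mp",
+"CVE": [
+"CVE-2025-66478"
+]
+},
+"severity": "critical",
+"cwe": [
+"CWE-502"
+],
+"info": [
+"https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp"
+]
+},
 {
 "ranges": [
 {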
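Review bot: The new entry's `ranges` array holds a single range ending at `"below": "15.0.5"`, while its own summary lists fixes in 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7, so a scanner matching on this data would not report Next.js 15.1.x through 16.0.6 for this advisory unless an entry outside the visible hunk covers them. Each patched release line needs its own range, as sketched below. The upper bounds are the fixed versions from the summary; the lower bounds are my reading of the release lines and should be checked against the advisory, including whether canary prereleases of each line must be matched. The same single range is repeated in the sections for jsrepository-v2.json through jsrepository-v5.json and jsrepository.json, which need the same extension once the master entry is corrected.

```json
"ranges": [
  { "atOrAbove": "14.3.0-canary.77", "below": "15.0.5" },
  { "atOrAbove": "15.1.0", "below": "15.1.9" },
  { "atOrAbove": "15.2.0", "below": "15.2.6" },
  { "atOrAbove": "15.3.0", "below": "15.3.6" },
  { "atOrAbove": "15.4.0", "below": "15.4.8" },
  { "atOrAbove": "15.5.0", "below": "15.5.7" },
  { "atOrAbove": "16.0.0", "below": "16.0.7" }
],
```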

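--- a/repository/jsrepository-v2.json
+++ b/repository/jsrepository-v2.json
@@ -7591,6 +7591,24 @@
 "https://vercel.com/changelog/cve-2025-57822"
 ]
 },
+{
+"atOrAbove": "14.3.0-canary.77",
+"below": "15.0.5",
+"severity": "critical",
+"cwe": [
+"CWE-502"
+],
+"identifiers": {
+"summary": "A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n<sup>1</sup> The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
+"githubID": "GHSA-9qr9-h5gf-34mp",
+"CVE": [
+"CVE-2025-66478"
+]
+},
+"info": [
+"https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp"
+]
+},
 {
 "atOrAbove": "15.0.0",
 "below": "15.1.2",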

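--- a/repository/jsrepository-v3.json
+++ b/repository/jsrepository-v3.json
@@ -7753,6 +7753,24 @@
 "https://vercel.com/changelog/cve-2025-57822"
 ]
 },
+{
+"atOrAbove": "14.3.0-canary.77",
+"below": "15.0.5",
+"severity": "critical",
+"cwe": [
+"CWE-502"
+],
+"identifiers": {
+"summary": "A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n<sup>1</sup> The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
+"githubID": "GHSA-9qr9-h5gf-34mp",
+"CVE": [
+"CVE-2025-66478"
+]
+},
+"info": [
+"https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp"
+]
+},
 {
 "atOrAbove": "15.0.0",
 "below": "15.1.2",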

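--- a/repository/jsrepository-v4.json
+++ b/repository/jsrepository-v4.json
@@ -7752,6 +7752,24 @@
 "https://vercel.com/changelog/cve-2025-57822"
 ]
 },
+{
+"atOrAbove": "14.3.0-canary.77",
+"below": "15.0.5",
+"severity": "critical",
+"cwe": [
+"CWE-502"
+],
+"identifiers": {
+"summary": "A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n<sup>1</sup> The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
+"githubID": "GHSA-9qr9-h5gf-34mp",
+"CVE": [
+"CVE-2025-66478"
+]
+},
+"info": [
+"https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp"
+]
+},
 {
 "atOrAbove": "15.0.0",
 "below": "15.1.2",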

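--- a/repository/jsrepository-v5.json
+++ b/repository/jsrepository-v5.json
@@ -7758,6 +7758,24 @@
 "https://vercel.com/changelog/cve-2025-57822"
 ]
 },
+{
+"atOrAbove": "14.3.0-canary.77",
+"below": "15.0.5",
+"severity": "critical",
+"cwe": [
+"CWE-502"
+],
+"identifiers": {
+"summary": "A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n<sup>1</sup> The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
+"githubID": "GHSA-9qr9-h5gf-34mp",
+"CVE": [
+"CVE-2025-66478"
+]
+},
+"info": [
+"https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp"
+]
+},
 {
 "atOrAbove": "15.0.0",
 "below": "15.1.2",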

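--- a/repository/jsrepository.json
+++ b/repository/jsrepository.json
@@ -7524,6 +7524,24 @@
 "https://vercel.com/changelog/cve-2025-57822"
 ]
 },
+{
+"atOrAbove": "14.3.0-canary.77",
+"below": "15.0.5",
+"severity": "critical",
+"cwe": [
+"CWE-502"
+],
+"identifiers": {
+"summary": "A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n<sup>1</sup> The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
+"githubID": "GHSA-9qr9-h5gf-34mp",
+"CVE": [
+"CVE-2025-66478"
+]
+},
+"info": [
+"https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp"
+]
+},
 {
 "atOrAbove": "15.0.0",
 "below": "15.1.2",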
